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IN THE CLAIMS : 

1 - (Currently amended) A method of handling personally identifiable information, 
said method comprising: 

defining a limited number of privacy-related actions regarding said personally 
identifiable information; 

constructing a rule for each oiroumstanoo in which ono of said privacy-related 
actions, wherein eac h rule defines an action corresponding to an associated privacy- 
related action, a logical condition that identifies a condition under which a particular 
decision is generated, and a decision indicating a manner bv which said associated 
privacy-related action is to be performed rnav bo tok e n or mum ho takon ; 

allowing for the input of dynamic contextual information to precisely specify tho 
oondition for evaluation of said rule; 

creating a programming object containing a set of rules, wherein the set of rules 
comprises a t least one of said constructed rules; 

associating said programming object with said personally identifiable 
information; 

processing a request using the programming object containing said set of rules, 
wherein processing said request comprises: 

determining if said set of rules includes at least one rule having an action 
corresponding to an action specified in the request a condition that evaluates to 
**true." and a decision that indicates that the action is authorized: 

selecting a rule in the set of rules that has an action corresponding to said 
action s pecified in the request said condition that evaluates to 'true," and said 
decision that indicates that the action is authorized: and 

providing an output based on selecting said rule in the set of rules . 

2. (Original) The method of Claim 1, wherein said output is selected from the group 
consisting of 

authorizing said privacy-related action, 

authorizing said privacy-related action, plus specifying one or more tasks, 
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and denying said request but also suggesting what must be done to have said 
request approved. 

3. (Original) The method of Claim 1, wherein said output includes the specification 
of at least one additional action that must be taken. 

4. (Currently amended) A system for handling personally identifiable information, 
said system comprising: 

a processor: and 

a memory coupled to the processor, wherein the memory stores instructions 
which, when executed by the processor, cause the processor to: 

m e ans for d e fining define a limited number of privacy-related actions regarding 
said personally identifiable information; 

moans for constructing construct a rule for each circumstanc e in which one of said 
privacy-related actions , wherein each rule defines an action corresponding to an 
associated privacy-related action, a logical condition that identifies a condition under 
which a particular decision is generated, and a decision indicating a m anner hy which 
said associated privacy-related action is to be performed may b e tokon or must b e token: 

means for allowing for th e input of dynamic cont e xtual information to pr e cis e ly 
specify tho condition for evaluation of said rul e ; 

moons for creating create a programming object containing a set of rules, wherein 
the set of rules comprises at least one of said constructed rules; 

moons for associating associate said programming object with said personally 
identifiable information; 

mean s for proc e ssing process a request using the programming object containing 
said set of rules, wherein processing said request comprises: 

determining if said set of rules includes at least one rule having an action 

corresponding to an action specified in the request, a condition that evaluates to 

"true," and a decision that indicates that the action is authorized: 
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selecting a rule in the set of rules that has an action corresponding to said 
action specified in the request said condition that evaluates to "true," and said 
decision that indicates that the action is authorized: and 

m e ono for providing an output based on selecting said rule in the set of 

rules . 

. 5. (Original) The system of Claim 4, wherein said output is selected from the group 
consisting of 

authorizing said privacy-related action, 

authorizing said privacy-related action, plus specifying one or more tasks, 
and denying said request but also suggesting what must be done to have said 
request approved. 

6. (Original) The system of Claim 4, wherein said output includes the specification 
of at least one additional action that must be taken. 

7. (Currently amended) A computer program product comprising a computer-usable 
medium having computer ex e outablo instructions a computer readable program for 
handling personally identifiable information, wherein the computer readable program, 
when executed on a computing device, causes the computing device to ooid oomputor- 
e x e outabl e instructions comp rising: 

m e ans for defining define a limited number of privacy-related actions regarding 
said personally identifiable information; 

means for constructing construct a rule for each circumstanc e in whioh ono of said 
privacy-related actions , wherein each rule defines an action corresponding to an 
associated privacy-related action, a logical condition that identifies a condition under 
which a particular decision is generated, and a decision indicating a m anner h y which 
said associated privacy-related action is to be performed may bo token or must b e token ; 

ffaeaas- for allowing for tho input of dynamic contextual information to prooisoly 
sp e cify tho condition for evaluation of said rulo; 
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moona for cr e ating create a programming object containing a set of rules, wherein 
the set of rules comprises at least one of said constructed rules; 

means for associat ing associate said programming object with said personally 
identifiable information; 

m e ans for processing process a request using the programming object containing 
said set of rules, wherein processing said request comprises: 

determining if said set of rules includes at least one rule having an action 
corresponding to an action specified in the request, a condition that evaluates to 
"true/ 7 and a decision that indicates that the action is authorized: 

selecting a rule in the set of rules that has an action corresponding to said 
o action specified in the request, said condition that evaluates to "true," and said 

decision that indicates that the action is authorized: and 

moans for providing an output based on selecting said rule in the set of 

rules . 

8. (Currently amended) The computer - usable m e dium computer program product of 
Claim 7, wherein said output is selected from the group consisting of 

authorizing said privacy-related action, 

authorizing said privacy-related action, plus specifying one or more tasks, 
and denying said request but also suggesting what must be done to have said 
request approved. 

9. (Currently amended) The comput e r usabl e m e dium computer program product of 
Claim 7, wherein said output includes the specification of at least one additional action 
that must be taken. 

10. (New) The method of claim 1, wherein processing a request using said 
programming object containing said set of rules further comprises: 

identifying one or more tasks associated with said selected rule, if a decision of 
said rule indicates that said rule has associated tasks; 
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adding said one or more tasks specified for said privacy-related action to a list 
data structure associated with said programming object, wherein said list data structure 
contains one or more tasks for each rule associated with said programming data structure 
that has a decision indicating that said action identified in said request is authorized; and 

returning, in said output, said list data structure associated with said programming 

object. 

1 1 . (New) The method of claim 10, wherein said identifying of one or more tasks, 
adding said one or more tasks to a list data structure, and returning said list data structure 
are performed if said selected rule has a decision indicating that said action associated 
with said rule is obligated. 

1 2. (New) The method of claim 1 , wherein if a result of said determining if said set 
of rules includes at least one rule having an action corresponding to an action specified in 
said request, a condition that evaluates to "true," and a decision that indicates that said 
action is authorized, indicates that no such rule is present in said set of rules, said method 
further comprises: 

* denying said request; 

searching for one or more suggestion rules in said set of rules that have an action 
corresponding to said action specified in said request, a condition that evaluates to "true," 
and a decision that indicates that a suggestion is to be provided; and 

providing a suggestion, based on said one or more suggestion rules, indicating 
what operation needs to be performed in order for said action specified in said request to 
be authorized. 

13. (New) The method of claim 1, wherein said limited number of privacy-related 
actions define privacy-related actions that may be performed by one of a data subject that 
is identified by said personally identifiable information, a data user that requests access to 
said personally identifiable information, and a third party to which privacy-related 
notifications concerning said personally identifiable information may be sent. 
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14. (New) The method of claim 1, wherein said programming object is an empty 
form programming object that represents a paper form that may be completed by a 
provider of said personally identifiable information. 

15. (New) The method of claim 14, wherein associating said programming object 
with said personally identifiable information comprises: 

entering said personally identifiable information into fields of said empty form 
programming object, wherein said one or more rules of said programming object are 
applied to said personally identifiable information. 

16. (New) The system of claim 4, wherein said instructions further cause the 
processor to process a request using said programming object containing said set of rules 
by: 

identifying one or more tasks associated with said selected rule, if a decision of 
said rule indicates that said rule has associated tasks; 

adding said one or more tasks specified for said privacy-related action to a list 
data structure associated with said programming object, wherein said list data structure 
contains one or more tasks for each rule associated with said programming data structure 
that has a decision indicating that said action identified in said request is authorized; and 

returning, in said output, said list data structure associated with said programming 

object. 

17. (New) The system of claim 16, wherein said identifying of one or more tasks, 
adding said one or more tasks to a list data structure, and returning said list data structure 
are performed if said selected rule has a decision indicating that said action associated 
with said rule is obligated. 

1 8. (New) The system of claim 4, wherein if a result of said determining if said set of 
rules includes at least one rule having an action corresponding to an action specified in 
said request, a condition that evaluates to "true," and a decision that indicates that said 
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action is authorized, indicates that no such rule is present in said set of rules, said 
instructions further cause the processor to: 
deny said request; 

search for one or more suggestion rules in said set of rules that have an action 
corresponding to said action specified in said request, a condition that evaluates to "true," 
and a decision that indicates that a suggestion is to be provided; and 

provide a suggestion* based on said one or more suggestion rules, indicating what 
operation needs to be performed in order for said action specified in said request to be 
authorized. 

19. (New) The system of claim 4, wherein said programming object is an empty form 
programming object that represents a paper form that may be completed by a provider of 
said personally identifiable information. 

20. (New) The system of claim 19, wherein said instructions cause the processor to 
associate said programming object with said personally identifiable information by: 

entering said personally identifiable information into fields of said empty form 
programming object, wherein said one or more rules of said programming object are 
applied to said personally identifiable information. 



Page 8 of 12 
Adlsr et al. - 09/884,153 



PACE 11/15* RCVD AT 8/23/2003 2:59:32 PM [Eastern Daylight Time] » SVR:USPTO-EFXRF-6/26 • DNIS: 2738300 • CSIO:214 722 8533 • DURATION <mm-ss):05-42 



